[{"data":1,"prerenderedAt":217},["ShallowReactive",2],{"blog-guides/upstash":3},{"id":4,"title":5,"body":6,"category":196,"date":197,"dateModified":197,"description":198,"draft":199,"extension":200,"faq":201,"featured":199,"headerVariant":202,"image":201,"keywords":203,"meta":204,"navigation":205,"ogDescription":206,"ogTitle":201,"path":207,"readTime":208,"schemaOrg":209,"schemaType":210,"seo":211,"sitemap":212,"stem":213,"tags":214,"twitterCard":215,"__hash__":216},"blog/blog/guides/upstash.md","Upstash Security Guide for Vibe Coders",{"type":7,"value":8,"toc":184},"minimark",[9,16,21,24,28,39,44,50,54,60,64,70,80,85,113,135,139,153,172],[10,11,12],"tldr",{},[13,14,15],"p",{},"Upstash provides serverless Redis and Kafka over HTTP. Store your REST API token in server-side environment variables only; any token that reaches the browser is effectively public. Use read-only tokens for public-facing apps when possible, but remember that a read-only token still grants read access to the whole database, so it only belongs client-side when the database holds nothing private. Scope cache keys to users to prevent data leaks. Don't cache sensitive data without encryption. The Ratelimit library is powerful but needs proper identifier selection (user ID, not just IP) to prevent bypass.",[17,18,20],"h2",{"id":19},"why-upstash-security-matters-for-vibe-coding","Why Upstash Security Matters for Vibe Coding",[13,22,23],{},"Upstash Redis is popular for caching, rate limiting, and session storage in serverless environments. When AI tools generate caching code, they often create functional patterns but miss key scoping and data sensitivity concerns. Redis has no notion of which user a key belongs to, so the key the application builds is the only access control. 
Improperly scoped cache keys can leak data between users.",[17,25,27],{"id":26},"token-management","Token Management",[29,30,35],"pre",{"className":31,"code":33,"language":34},[32],"language-text","# .env.local (never commit)\nUPSTASH_REDIS_REST_URL=https://xxx.upstash.io\nUPSTASH_REDIS_REST_TOKEN=AXxxxxxxxxxxxx\n","text",[36,37,33],"code",{"__ignoreMap":38},"",[40,41,43],"h3",{"id":42},"using-read-only-tokens","Using Read-Only Tokens",[29,45,48],{"className":46,"code":47,"language":34},[32],"import { Redis } from '@upstash/redis';\n\n// Read-only client for public data\nconst publicRedis = new Redis({\n  url: process.env.UPSTASH_REDIS_REST_URL,\n  token: process.env.UPSTASH_REDIS_REST_TOKEN_READONLY,\n});\n\n// Full access client for server-side mutations\nconst redis = new Redis({\n  url: process.env.UPSTASH_REDIS_REST_URL,\n  token: process.env.UPSTASH_REDIS_REST_TOKEN,\n});\n",[36,49,47],{"__ignoreMap":38},[17,51,53],{"id":52},"secure-key-scoping","Secure Key Scoping",[29,55,58],{"className":56,"code":57,"language":34},[32],"// DANGEROUS: Global cache keys\nconst userData = await redis.get('user-profile'); // Which user?!\n\n// SAFE: User-scoped keys\nconst userId = session.user.id;\nconst userData = await redis.get(`user:${userId}:profile`);\n\n// SAFE: Validated and scoped\nfunction getUserCacheKey(userId: string, dataType: string): string {\n  const allowedTypes = ['profile', 'preferences', 'notifications'];\n  if (!allowedTypes.includes(dataType)) {\n    throw new Error('Invalid data type');\n  }\n  return `user:${userId}:${dataType}`;\n}\n",[36,59,57],{"__ignoreMap":38},[17,61,63],{"id":62},"secure-rate-limiting","Secure Rate Limiting",[29,65,68],{"className":66,"code":67,"language":34},[32],"import { Ratelimit } from '@upstash/ratelimit';\nimport { Redis } from '@upstash/redis';\n\nconst ratelimit = new Ratelimit({\n  redis: new Redis({\n    url: process.env.UPSTASH_REDIS_REST_URL,\n    token: process.env.UPSTASH_REDIS_REST_TOKEN,\n  }),\n  limiter: 
Ratelimit.slidingWindow(10, '10 s'),\n});\n\nexport async function POST(request: Request) {\n  // BEST: Use authenticated user ID\n  const session = await getSession(request);\n  const identifier = session?.user?.id || getIPAddress(request);\n\n  const { success } = await ratelimit.limit(identifier);\n\n  if (!success) {\n    return Response.json({ error: 'Rate limit exceeded' }, { status: 429 });\n  }\n\n  // Process request...\n}\n",[36,69,67],{"__ignoreMap":38},[71,72,73],"warning-box",{},[13,74,75,79],{},[76,77,78],"strong",{},"Common AI-Generated Mistake:"," AI tools often use only IP addresses for rate limiting. An attacker can rotate IPs through VPNs or proxies, and if the address is read from a request header such as X-Forwarded-For it can be spoofed outright unless a trusted proxy in front of your app overwrites that header. Always prefer authenticated user IDs when available, and fall back to the IP only for unauthenticated endpoints; give the two identifier kinds distinct prefixes (for example user: and ip:) so they can never collide in the same counter.",[81,82,84],"h4",{"id":83},"upstash-security-checklist","Upstash Security Checklist",[86,87,88,92,95,98,101,104,107,110],"ul",{},[89,90,91],"li",{},"REST tokens stored in environment variables",[89,93,94],{},"Read-only tokens used for public-facing operations",[89,96,97],{},"Cache keys scoped to authenticated users",[89,99,100],{},"No user-controlled cache keys without validation",[89,102,103],{},"Sensitive data encrypted before caching",[89,105,106],{},"Rate limiting uses server-verified identifiers",[89,108,109],{},"TTLs set appropriately for sensitive data",[89,111,112],{},"No sensitive data in cache key names",[114,115,116,123,129],"faq-section",{},[117,118,120],"faq-item",{"question":119},"Is Upstash Redis encrypted?",[13,121,122],{},"Yes, Upstash encrypts data in transit (TLS) and at rest. Note that encryption at rest protects the storage layer, not data read through the API: anyone holding a valid token sees plaintext. For highly sensitive data, implement application-level encryption as well, and keep the encryption key outside Upstash.",[117,124,126],{"question":125},"Can I use Upstash for session storage?",[13,127,128],{},"Yes, Upstash is well-suited for session storage. 
Use cryptographically random session IDs (never values derived from user input), set appropriate TTLs, and delete the session key on logout so expiry is not the only way a session ends.",[117,130,132],{"question":131},"How do I rotate Upstash tokens?",[13,133,134],{},"Generate a new token in the Upstash console, update your environment variables, redeploy, then revoke the old token. Consider using multiple tokens during rotation to avoid downtime. If a token was ever committed to a repository or shipped in client-side code, treat it as compromised and rotate it immediately rather than on a schedule.",[17,136,138],{"id":137},"what-checkyourvibe-detects","What CheckYourVibe Detects",[86,140,141,144,147,150],{},[89,142,143],{},"REST tokens exposed in client-side code",[89,145,146],{},"Cache keys without user scoping",[89,148,149],{},"Rate limiting with easily-spoofed identifiers",[89,151,152],{},"Sensitive data cached without encryption",[154,155,156,162,167],"related-articles",{},[157,158],"related-card",{"description":159,"href":160,"title":161},"Row-level security and auth patterns","/blog/guides/supabase","Supabase Security Guide",[157,163],{"description":164,"href":165,"title":166},"Environment variables and edge security","/blog/guides/vercel","Vercel Security Guide",[157,168],{"description":169,"href":170,"title":171},"Best practices for key management","/blog/how-to/secure-api-keys","Secure API Keys",[173,174,177,181],"cta-box",{"href":175,"label":176},"/","Start Free Scan",[17,178,180],{"id":179},"scan-your-upstash-integration","Scan Your Upstash Integration",[13,182,183],{},"Find token exposure, cache key issues, and rate limiting vulnerabilities before they reach production.",{"title":38,"searchDepth":185,"depth":185,"links":186},2,[187,188,192,193,194,195],{"id":19,"depth":185,"text":20},{"id":26,"depth":185,"text":27,"children":189},[190],{"id":42,"depth":191,"text":43},3,{"id":52,"depth":185,"text":53},{"id":62,"depth":185,"text":63},{"id":137,"depth":185,"text":138},{"id":179,"depth":185,"text":180},"guides","2026-02-02","Secure your Upstash Redis and Kafka when vibe coding. 
Learn token management, data encryption, rate limiting patterns, and secure caching strategies.",false,"md",null,"blue","Upstash security, serverless Redis security, vibe coding cache, Upstash rate limiting, Redis security",{},true,"Secure your Upstash Redis with proper token management and data handling.","/blog/guides/upstash","9 min read","[object Object]","TechArticle",{"title":5,"description":198},{"loc":207},"blog/guides/upstash",[],"summary_large_image","LPV__q07DgpFe7MEosJHJBR9d-Vx07nzJ-nOQ5zC23E",1775843929082]